25 June 2020

CryptoCore gang has stolen over $200M from cryptocurrency exchanges


A mysterious hacker group is targeting online cryptocurrency exchanges by launching spear phishing attacks against employees and executives. The group, tracked as CryptoCore, Dangerous Password or Leery Turtle, is believed to have stolen more than $200 million from online cryptocurrency exchanges since 2018, according to a new report from the cyber-security firm ClearSky.

The group, believed to be operating out of the Eastern European region (Ukraine, Russia or Romania in particular), has been active since at least May 2018. In the first half of 2020 CryptoCore slowed down its activity, possibly due to COVID-19 pandemic restrictions, but did not stop altogether.

According to the researchers, while the CryptoCore group is not extremely technically advanced, it is swift and effective. The group mainly targets cryptocurrency exchanges in the United States, Japan, and the Middle East.

“The key goal of CryptoCore’s heists is to gain access to cryptocurrency exchanges’ wallets, be it general corporate wallets or wallets belonging to the exchange’s employees. For this kind of operation, the group begins with an extensive reconnaissance phase against the company, its executives, officers and IT personnel,” the report said.

To achieve their goal, the hackers leverage spear phishing attacks, primarily targeting the executives’ personal email accounts.

“Infiltrating the personal email accounts is an optional phase; however, it’s a matter of hours to weeks until the spear-phishing email is sent to a corporate email account of an exchange’s executive,” according to the report.

Typically, phishing messages are disguised as emails from a high-ranking employee either from the target company or from another organization with ties to the targeted employee.

Once they gain an initial foothold on the system, the hackers attempt to access the victim’s password manager account, where the keys to crypto-wallets and other valuable assets are stored. The attackers then disable multi-factor authentication and start transferring funds out of the exchange’s “hot wallets.”
